So a malicious app could use this technique to gain access to Google account parts without asking for them?
Rosyna Keller Retweeted Rosyna Keller
luckily all of it is now fixed. https://twitter.com/rosyna/status/752931168664727552 …
Sarcasm? The important part is how they could get all permissions without asking, no?
No, I'm quite serious. The app update fixes it.
If you were asking why it didn't notify before, it's just a WebView. The app has control over it.
They don't use the proper SFSafariViewController for OAuth. See 23:10 at https://developer.apple.com/videos/play/wwdc2015/504/ …
So a malicious app can just choose to do it the "wrong" way and stay under the radar?
Correct. After all, if they use a WebView, you are typing your username and password in the app.
But wait, even with the updated app I'm prompted for my user/pass, unlike Android. Limitation in iOS?
Replying to @wdormann @SwiftOnSecurity
No, iOS doesn't have a system Google account. Android does so Pokémon Go just hijacks/uses that instead.
So any iOS app can easily phish a user for their Google credentials?